Internal PKI Certificate Policy

Overview

Internal Public Key Infrastructure-Smart Card (IPKI/SC) provides identity management and verification for all USPTO employees and contractors through the use of SmartCards (SCs). Digital credentials issued by the Internal PKI are used to encrypt and sign sensitive information and to provide strong login authentication to computers and networks, while the card's internal proximity chip allows building access only to approved personnel. The IPKI/SC operates under the Certificate Policy (CP) below. The CP defines the process and infrastructure that generates the public and private keys that tie a unique digital identity to each USPTO employee and contractor. This CP applies only to certificates issued by the USPTO Internal CA (certificates issued to USPTO employees and contractors). This CP does not apply to certificates provided to external USPTO customers who use their digital credentials to access EFSWeb/eFile (Registered) or Private PAIR.

Expired or Revoked Certificates

One of the most important principles of PKI is proper certificate validation. Not only must the certificate be within its validity period at the time it is presented, but it must also be checked against a current Certificate Revocation List (CRL) or an Online Certificate Status Protocol (OCSP) responder to verify that it has not been revoked. Unless this verification is performed, the end entity or service provider has no assurance of the validity of the certificate that has been presented. If the authentication and authorization of the user cannot be verified, this undermines any security that PKI would otherwise provide. For this reason, CRL Distribution Points (CDP) are included in each issued certificate so that, together with the certificate validity period, any relying party can verify the validity of the certificate. Failure to verify the validity period of the certificate, to check it against a current CRL, or to check its status with the OCSP responder can result in a security breach.
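The following Python, added here as an illustration and not part of this policy or of USPTO's systems, uses the third-party cryptography library to build a constructed test CA, issue a certificate that carries a CRL Distribution Point, publish a CRL, and then apply the checks the paragraph above requires: validity period, CRL issuer and signature, CRL currency (nextUpdate), and revocation status. The CDP URL, CA name, key type and lifetimes are assumed placeholders, not USPTO values.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed placeholder CDP URL: this page does not list the real CRL locations.
CDP_URL = "http://crl.example.invalid/ipki.crl"
DAY = dt.timedelta(days=1)
NOW = dt.datetime.now(dt.timezone.utc).replace(tzinfo=None, microsecond=0)  # naive UTC

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _cert(cn, issuer_key, issuer_name, pubkey, now, days, ext):
    return (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(issuer_name)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + days * DAY)
            .add_extension(ext, critical=False).sign(issuer_key, hashes.SHA256()))

def make_ca(now=NOW):  # self-signed test CA, constructed for this example only
    key = ec.generate_private_key(ec.SECP256R1())
    bc = x509.BasicConstraints(ca=True, path_length=None)
    return key, _cert("Test CA", key, _name("Test CA"), key.public_key(), now - DAY, 366, bc)

def issue(ca_key, ca_cert, cn, now=NOW, days=30):  # end-entity cert with a CDP, as the CP requires
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        [x509.UniformResourceIdentifier(CDP_URL)], None, None, None)])
    pub = ec.generate_private_key(ec.SECP256R1()).public_key()
    return _cert(cn, ca_key, ca_cert.subject, pub, now, days, cdp)

def build_crl(ca_key, ca_cert, revoked_serials, now=NOW, lifetime_days=7):
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(now).next_update(now + lifetime_days * DAY))
    for s in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(now).build())
    return b.sign(ca_key, hashes.SHA256())

def validate(cert, crl, ca_cert, now=NOW):
    """Return 'valid' or the reason a relying party must reject the certificate."""
    if not (cert.not_valid_before <= now <= cert.not_valid_after):
        return "outside-validity-period"
    if crl.issuer != cert.issuer or not crl.is_signature_valid(ca_cert.public_key()):
        return "crl-not-from-issuer"
    if crl.next_update < now:  # a stale CRL gives no assurance about current status
        return "crl-not-current"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "valid"
```

A stale CRL is treated as a failure rather than a pass because a relying party that accepts an expired CRL is in the same position as one that performed no revocation check at all.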

The CRLs issued by this system can be found at the following locations:


IPKI/SC Documentation: